There is much confusion between SFTP and FTPS, the former is a method of transferring files over the SSH protocol, the latter being a secure variant of the FTP protocol.

SFTP is a feature of OpenSSH, FTPS is a feature of an FTP daemon...

As with the topic above, please clarify... are you talking about a secure variant of "FTP" (RFC 4217) or an independent secure file transferring service over the SSH protocol? (Which doesn't have a published RFC, but this is quite close...)

I suppose to answer your question I would say I am talking about both.

Are TLS and sFTP not specific types of communication?

TLS being an add-on to FTP; sFTP being SSH-FTP. Both of which, from what I can tell, accomplish the same sort of thing. (Am I wrong?)

I do not believe the links/forum post answer my questions at all. I already know WHAT these terms mean and how to use sFTP (forum post).

My questions:

1. What are the key differences between using TLS and SFTP?

(In terms of security, is one vastly superior? Does one not do something the other does? Etc. Anything I should be aware of when choosing between them.)

2. Does PureFTPd have the ability to support SFTP?

(Can I run the sFTP feature through PureFTP's configuration in order to make use of the sFTP security but maintain my other FTP policies? In other words, is it possible to use PureFTP with SSH as opposed to TLS/FTPS, or is TLS another name for SSH, more or less?)

3. Will SFTP be compatible with the SQL database for authentication?

(Can sFTP (or I suppose SSH) be made to look up account info through a SQL database/my PureFTP SQL database?)

4. Does anyone have any nice walk-throughs regarding this?

(Are there any guides that walk through the installation of these on OpenBSD?)

Thanks for your reply. My point with this topic is to decide what method to use to transfer files, since both A and B will in the end accomplish the same thing: transferring a file from one location to another. I had thought I was clear that I understood that they are two separate technologies. As are, say, PHP and ASP. They can probably do a lot of the same things, but one is probably better at some 'features' than the other. With that, also note they probably can mingle together.

Forget that I mentioned I was already running FTP for a minute. Let's say I posted a message asking which would be a better solution for ME: FTP-TLS or sFTP. Now with that in mind (if you know), can you tell me what the advantages are and what the disadvantages would be? My end objective would be to transfer a file securely from one place to another. Is one more secure than the other? Does not only the login info but also the data get encrypted? Drawbacks? Positives? Comments?

I was hoping that it might be possible to at least be able to forward credentials for SSH/sFTP to a SQL database, much like using a radius/AAA server for authentication (not related to FTP). It's unfortunate this is not possible.

No 3rd party products need be installed; it supports any number of authentication methods including Radius servers. The only thing "sftp" adds to SSH is to provide FTP-like file transfer commands within an ssh session. Otherwise it is just plain-old-well-understood-well-audited-and-secure OpenSSH. Authentication can be loose or broad, as it is with any SSH configuration, and all packets are encrypted, including authentication packets.

I happen to like using scp, which allows file transfer from shell commands without an sftp client session.

Interesting comment. Sounds pretty decent for a standalone solution. The more and more I read, I am beginning to realize that sFTP is not going to be a practical solution for my requirements, however. (Unless you can suggest otherwise? --which would be awesome!)

Right now, as indicated above, I have a setup that relies on SQL to hold authentication information. According to the above, SQL is not compatible with sFTP (OpenSSH). I imagine with some work it could be "made" to interact with the database through a custom script or something of that nature, but that would probably take a lot of work.

I am curious about your comment "it supports any number of authentication methods including Radius servers" --there isn't a chance you would know of a solution for my SQL dilemma, would you?

Also, one of the big questions I have that remains is with TLS. What sort of encryption does it use? Is said encryption "strong" enough, like IPsec or SSH?

(I never set up OpenSSH servers with password authentication, myself. My favorites are public key and S/Key challenge-response authentications.)

Host-based authentications may include ActivCard token, CRYPTOCard token, Kerberos ticket, Radius authentication, SecureNet Key token, X9.9 token, or programmatic authentications. Program authentications via the "approve" and "approve-service" keywords are described in login.conf(5), but I know nothing about them, except that they appear to be available for custom challenge/response techniques. This might be how you could interface your custom authentication with OpenSSH, or perhaps with your alternative file transfer solution.

A common programmatic authentication used in other Unix-like systems is PAM. All I know of PAM is that it is not one of the methods available on OpenBSD.

----

TLS (Transport Layer Security) is an authentication method based on public key authentication -- it uses certificates which include public/private key pair halves. To basic PKA it adds complexities such as commercial certification authorities (e.g.: Verisign), expiration dates (so that the certification companies get repeat business), and the like.

As an admin, you might have set up a secure web server (https), and set up a host certificate for it. If you *also* created a small set of client certificates to give to a set of users, to limit which clients could reach that server, you set up a TLS authentication system.

Thank you for your reply. Very informative. The programmatic solution sounds like it would be the only way, if it is possible at all, for me to use sFTP with my current setup. It does sound like it would be technically better to use sFTP as opposed to TLS. However, SSL v3 isn't really all that bad either.

I think I have got what I was looking for with this post. I will continue as planned and use TLS for now, as it does seem to be the easiest and least time-consuming solution to implement for my situation. Thank you for your advice/info. Very much appreciated.

One other question I just realized. Does TLS/SSL also encrypt all the traffic like SSH does?

TLS is an authentication system. Session encryption is the responsibility of the application. Most TLS-using systems I'm aware of (HTTPS, SMTP/STARTTLS) use SSL encryption. That doesn't mean all do. To confirm if your application does so, use tcpdump(8) with a large snaplen value to capture packet content.
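The tcpdump check suggested in the last reply leaves you with raw payload bytes to read. The following is an added example, written by the editor and not posted by anyone in this thread, that triages such payloads offline: it recognises an SSH version banner, a TLS record header (content type, version, length), or a readable FTP command/reply, and then summarises a capture per connection. It matters for the original question about whether "the data" gets encrypted: with FTP over TLS (RFC 4217) the control connection switches to TLS after AUTH TLS, but each data connection is only protected if PROT P was negotiated, whereas SFTP runs everything inside the one SSH session. The sample capture below is constructed for illustration, and the function names are my own.

```python
# Added example (not from the forum thread): classify captured TCP payloads and
# flag connections that carry cleartext without ever switching to TLS or SSH.
import re

# FTP commands and 3-digit replies that should never be readable on the wire
# once the connection is supposed to be protected.
FTP_CMD_RE = re.compile(rb"^(USER|PASS|LIST|RETR|STOR|PWD|CWD|AUTH|PROT|PBSZ|QUIT)\b", re.IGNORECASE)
FTP_REPLY_RE = re.compile(rb"^\d{3}[ -]")

# TLS record layer: 1 byte content type, 2 bytes version, 2 bytes length.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2/1.3"}
TLS_MAX_RECORD = 0x4000 + 2048  # 16 KiB plaintext plus allowed expansion


def parse_tls_record(payload: bytes):
    """Return (content_type, version, length) if payload starts with a plausible TLS record header, else None."""
    if len(payload) < 5:
        return None
    ctype = payload[0]
    version = int.from_bytes(payload[1:3], "big")
    length = int.from_bytes(payload[3:5], "big")
    if ctype in TLS_CONTENT_TYPES and version in TLS_VERSIONS and length <= TLS_MAX_RECORD:
        return TLS_CONTENT_TYPES[ctype], TLS_VERSIONS[version], length
    return None


def classify_payload(payload: bytes) -> str:
    """Label one TCP payload: ssh-banner, tls-<type>, ftp-plaintext, plaintext, empty or unknown."""
    if not payload:
        return "empty"
    if payload.startswith(b"SSH-"):
        return "ssh-banner"          # SSH version exchange; all later traffic is inside the encrypted transport
    rec = parse_tls_record(payload)
    if rec is not None:
        return "tls-" + rec[0]       # TLS record; application_data records carry the encrypted content
    if FTP_CMD_RE.match(payload) or FTP_REPLY_RE.match(payload):
        return "ftp-plaintext"       # readable FTP command or reply: not encrypted
    if all(32 <= b < 127 or b in b"\r\n\t" for b in payload):
        return "plaintext"           # other readable text, e.g. a directory listing or file content
    return "unknown"


def audit_capture(packets):
    """packets: iterable of (connection_name, payload). Returns per-connection counts of
    cleartext, tls_or_ssh and unknown payloads."""
    summary = {}
    for conn, payload in packets:
        entry = summary.setdefault(conn, {"cleartext": 0, "tls_or_ssh": 0, "unknown": 0})
        label = classify_payload(payload)
        if label in ("ftp-plaintext", "plaintext"):
            entry["cleartext"] += 1
        elif label.startswith("tls-") or label == "ssh-banner":
            entry["tls_or_ssh"] += 1
        else:
            entry["unknown"] += 1
    return summary


def unprotected_connections(summary):
    """Connections that carried cleartext and never showed a TLS record or SSH banner.
    (Cleartext before AUTH TLS on the control connection is expected, so a connection
    that later switches to TLS is not reported.)"""
    return sorted(c for c, e in summary.items() if e["cleartext"] > 0 and e["tls_or_ssh"] == 0)


# Constructed sample capture (not real traffic): an FTPS session where the client
# issued AUTH TLS but never PROT P, so the directory listing crosses in the clear.
SAMPLE_CAPTURE = [
    ("control", b"220 FTP server ready\r\n"),
    ("control", b"AUTH TLS\r\n"),
    ("control", b"234 AUTH TLS OK.\r\n"),
    ("control", b"\x16\x03\x01\x00\xa5" + b"\x00" * 0xA5),   # ClientHello record, body zeroed
    ("control", b"\x17\x03\x03\x00\x20" + b"\x00" * 32),     # encrypted USER/PASS etc.
    ("data", b"drwxr-xr-x  2 alice users  512 Jan  1 00:00 docs\r\n"),  # listing without PROT P
]

if __name__ == "__main__":
    result = audit_capture(SAMPLE_CAPTURE)
    for conn, counts in result.items():
        print(conn, counts)
    print("unprotected:", unprotected_connections(result))
```

To use it on a real capture, feed `audit_capture` the reassembled payload of each TCP segment, keyed by the connection it belongs to; with FTPS the data connections (the ones opened after PASV/PORT) are the ones to watch, since an empty "unprotected" list is what you want to see before concluding that "the data" is encrypted.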